Service

The Service class describes network services on sources and targets. It can identify services by name, port, and protocol. When Service occurs as an aggregate class of Source, it is understood that the service is one from which activity of interest is originating; and that the service is "attached" to the Node, Process, and User information also contained in Source. Likewise, when Service occurs as an aggregate class of Target, it is understood that the service is one to which activity of interest is being directed; and that the service is "attached" to the Node, Process, and User information also contained in Target. If Service occurs in both Source and Target, then information in both locations should be the same. If information is the same in both locations and implementers wish to carry it in only one location, they should specify it as an aggregate of the Target class.

[Class diagram: Service, with two child classes. WebService carries additional information related to web traffic: url (Required), cgi, http-method, arg (all Optional). SNMPService carries additional information related to SNMP traffic: oid, messageProcessingModel, securityModel, securityName, securityLevel, contextName, contextEngineID, command (all Optional).]


Children

WebService

SNMPService

Aggregates

name (Optional)

The name of the service. Whenever possible, the name from the IANA list of well-known ports SHOULD be used.

port (Optional)

The port number being used.

portlist (Optional)

A list of port numbers being used; see Section 3.2.8 for formatting rules. If a portlist is given, the iana_protocol_number and iana_protocol_name MUST apply to all the elements of the list.

protocol (Optional)

Additional information about the protocol being used. The intent of the protocol field is to carry additional information related to the protocol being used when the <Service> attributes iana_protocol_number and/or iana_protocol_name are filled in.

Attributes

ident (Optional)

A unique identifier for the service; see Section 3.2.9.

ip_version (Optional)

The IP version number.

iana_protocol_number (Optional)

The IANA protocol number.

iana_protocol_name (Optional)

The IANA protocol name.
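
The following is an added example, not code from the IDMEF parser project: it reads the Service element under Source and Target of an alert and flattens the aggregates and attributes listed above. The sample alert is constructed; the `idmef` namespace URI and the portlist syntax (comma-separated numbers and inclusive N-M ranges, per the referenced Section 3.2.8) are taken from the IDMEF specification, and preferring port over portlist when both appear is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

NS = {"idmef": "http://iana.org/idmef"}
ATTRS = ("ident", "ip_version", "iana_protocol_number", "iana_protocol_name")

# Constructed sample alert fragment (not from the page).
SAMPLE = """<idmef:Alert xmlns:idmef="http://iana.org/idmef">
  <idmef:Source><idmef:Service ip_version="4" iana_protocol_number="6">
    <idmef:port>49152</idmef:port></idmef:Service></idmef:Source>
  <idmef:Target><idmef:Service ip_version="4" iana_protocol_number="6"
      iana_protocol_name="tcp">
    <idmef:name>ssh</idmef:name>
    <idmef:portlist>22,2200-2202</idmef:portlist></idmef:Service></idmef:Target>
</idmef:Alert>"""

def expand_portlist(text):
    """Expand 'N,M-P' (numbers and inclusive ranges) into a list of ports."""
    ports = []
    for item in text.split(","):
        lo, _, hi = item.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad portlist item: {item!r}")
        ports.extend(range(lo, hi + 1))
    return ports

def parse_service(elem):
    """Flatten one <Service> element; absent optional fields become None."""
    svc = {a: elem.get(a) for a in ATTRS}
    for child in ("name", "port", "portlist", "protocol"):
        svc[child] = elem.findtext(f"idmef:{child}", default=None, namespaces=NS)
    if svc["port"] is not None:
        svc["ports"] = [int(svc["port"])]
    else:
        # The protocol attributes apply to every element of the portlist.
        svc["ports"] = expand_portlist(svc["portlist"]) if svc["portlist"] else []
    return svc

def services(alert_xml):
    """Return the parsed Service for each role (Source, Target) that has one."""
    root = ET.fromstring(alert_xml)
    out = {}
    for role in ("Source", "Target"):
        elem = root.find(f"idmef:{role}/idmef:Service", NS)
        if elem is not None:
            out[role] = parse_service(elem)
    return out
```

Here the Source service is the one the activity originates from and the Target service is the one it is directed to; every field is optional, so consumers must handle None for each of them.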
